Making Life Simpler for DevOps with Security Practices
May 04, 2016

Anirban Banerjee
Onion ID

The next breach inside enterprises is expected to come from within. Many articles have been written about Insider Threats, the origination points, motivation, detection, DLP and more. I have talked to many an enterprise to understand the strategies and policies that are employed to manage this threat.

Privilege Management is a new age term, born from the crucible of Role Based Access Control (RBAC). Privilege Management refers to the ability of any enterprise to successfully manage, detect and mitigate any possibility of employee account misuse. The definition is quite terse and a bit wishful. In reality most organizations have very poor privilege management practices employed for their resources. In this blog, I will discuss why that is the case, what are some good strategies to launch effective privilege management in your organization and some of the gotchas that you can avoid.

The Many Faces of DevOps

Lets accept a fact: DevOps plays a multitude of roles inside most organizations. It is no longer: “Let's make sure our DNS stays up all the time.” It is: “Let's make sure our DNS stays up all the time and that we are DDoS resistant.”

Feel free to tag on a couple of more statements dealing with enhancing the security of the previously mentioned DNS system. The point is that DevOps is evolving at a breakneck speed and more enterprises are putting jobs on a DevOps person's plate than they can reasonably take off it.

The Pain Point

One of the constant thorns in the side is security. As if it's not hard enough to keep things running at web scale. It's great to read articles on hacker news about how you can use nodejs to power millions of requests a second without breaking a sweat. In reality though things are far from rosy. It's a lot of hard work, long nights, group huddles that get things to work, and, work with a good degree of reliability.

In this blog, I am going to talk about how a lot of DevOps teams are managing security practices and what can be done to reduce the amount of time spent on each aspect yet up the amount of security that you can actually eek out of the system.

Why Existing Tools Don't Alleviate the Pain

Using configuration management systems ensures that DevOps does not spend time on making sure the base OS images, packages and software on servers that make up a cluster are uniform and adhere to a common set of security guidelines.

Even though the tools mentioned above are very effective in providing network visibility they do not help DevOps when the proverbial (expletive deleted) hits the fan from a compliance perspective.

Consider the case where an employee account is misused to perform some actions that are not in compliance with a company's policies. In this case, using configuration management systems helps only to the effect that you can find out if someone accessed an account, when and possibly which server were affected. However if the employee is smart enough and tries to cover their tracks by wiping history, logs etc. it's a rabbit hole that DevOps and security teams have to now jump into.

This is a case of misalignment of expectations from a DevOps group. Unfortunately this happens more often than not because DevOps handles the heartbeat of any product and so is called in time and again to help with various teams like security.

Simple Fixes

To make life simpler for DevOps here are some high level tool category suggestions that will save time and headaches when push comes to shove:

1. Install and use a SSH key rotation system: This will help in keeping compliance reviews short and prevent attackers from causing massive damage.

2. Install and use a SSH session recording system: This helps in making sure that if ever a request comes in to analyze whether someone performed a specific action, DevOps does not have to spend a ton of time investigating issues.

3. Use an inventory management system for all your infrastructure: Something akin to security monkey for AWS. This helps you keep tabs on what you really see in the configuration management system is actually what is on your cloud IaaS account or not.

4. Use a blacklist of commands: Mistakes happen often in life and people often make costly mistakes. Don't let someone type rm -rf* on your production cluster by mistake.

I discussed the high level rationale for why a DevOps job is not easy. I followed that up with some concrete product areas that will help make life simpler and less hectic for everyone.

Dr. Anirban Banerjee is CEO of Onion ID.

Share this

Industry News

September 29, 2022

CloudBees announced the acquisition of ReleaseIQ to expand the company’s DevSecOps capabilities, empowering customers with a low-code, end-to-end release orchestration and visibility solution.

September 29, 2022

SmartBear continues expanding its commitment to the Atlassian Marketplace, adding Bugsnag for Jira and SwaggerHub Integration for Confluence.

Bugsnag developers monitoring application stability and documenting in Jira no longer need to interrupt their workflow to access the app. Developers working in SwaggerHub can use the macro to push API definitions and changes directly to other teams and business stakeholders that work within Confluence. By increasing the presence of SmartBear tools on the Atlassian Marketplace, the company continues meeting developers where they are.

September 29, 2022

Ox Security exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft's venture fund, with participation from Rain Capital.

September 29, 2022

cnvrg.io announced that the new Intel Developer Cloud is now available via the cnvrg.io Metacloud platform, providing a fully integrated software and hardware solution.

September 28, 2022

Kong introduced a number of new performance, security and extensibility features across its entire product portfolio, including major new releases of Kong Gateway, Kong Konnect, Kong Mesh, Kong Insomnia and Kong Ingress Controller, as well as new projects from the Kong Incubator.

September 28, 2022

BroadPeak Partners announced the availability of the new K3 API Connector.

September 28, 2022

Aqua Security announced a new end-to-end software supply chain security solution.

September 27, 2022

DevOps Institute will host SKILup Festival in Singapore on November 15, 2022.

September 27, 2022

Delinea announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams.

September 27, 2022

The Apptainer community announced version 1.1.0 of the popular container system for secure, high-performance computing (HPC). Improvements in the new version provide a smaller attack surface for production deployments while offering features that improve and simplify the user experience.

September 26, 2022

Secure Code Warrior unveiled Coding Labs, a new mechanism that allows developers to more easily move from learning to applying secure coding knowledge, leading to fewer vulnerabilities in code.

September 26, 2022

ActiveState announced the availability of the ActiveState Artifact Repository.

September 26, 2022

Split Software announced the availability of its Feature Data Platform in the Microsoft Azure Marketplace.

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.